Can We Secure the ‘Internet of Other People’s Things’?

The IoT, and the security thereof, represents the greatest business opportunity for the IT industry in the second half of the second decade of the 21st century.

The “Internet of other people’s things” is simply another way to describe the Internet of things in the hands of bad actors. The Internet itself has always been a playground for hackers, but the IoT—with all the inanimate, automated devices about to come online in the next few years—multiplies attack surfaces and network access points tremendously. So the playground will become a bigger greenfield for the bad guys and increasingly risky for everybody else.The Internet of other people’s things, or IoOPT, really translates into the “Internet of everybody’s things. ” While we enjoy the online benefits of buying goods and services, sharing documents and photos, playing games, watching videos and listening to music, the tradeoffs involving personal data privacy and the risk of online fraud or theft are always present.

This is the greatest opportunity for the IT business in the second half of the second decade of the 21st century: How exactly to keep the lines of Internet communication secure and trustworthy—that’s the key term—so that business and personal (as well as machine-to-machine) interactions can be conducted safely and without interference from any outside party? The company that can come up with that solution could become king of the IT world. Many are trying, but nobody has come up with a bulletproof solution for every type of hack attack. Sound like a pipe dream? Can this be accomplished? Those who see themselves as realists in an industry that is loaded with dreamers do not think so. Jeff Moss, a celebrated former hacker and founder of both the DevCon and the Black Hat security conferences, told eWEEK at the RSA Conference 2015 that he believes conventional security will never jump ahead of the hacker community with an ability to completely shut out all data breaches or other types of attacks. “I’d be really good with like 80 percent security, because we’re never going to get to 100 percent security,” Moss said. “And we don’t have anywhere near 80 percent yet. But if we got to 80 percent, that means we only have to work on the remaining 20 percent.”

Hot Topic at All Levels

The security of the Internet of other people’s things is becoming a hot topic at all levels and sizes of business, mainly due to national and international news stories about multimillion-dollar attacks on familiar companies, such as Home Depot, Michael’s, Target and others.Sami Luukkonen, global managing director for the Accenture’s Electronics and High Technology business, is seeing vendors of all shapes and sizes coming to his organization asking about IoT, and they’re all worried about security.”Security concerns have really been raised by industry players, due to media attention around cyber-attacks,” Luukkonen told eWEEK’s Sean Michael Kerner. “All the attention has really woken vendors up to the risks and consequences of an attack.”In the past year or so, the biggest security issue involved the privacy of consumer data, he said. Luukkonen sees the shift in focus to security as a sign of maturity in the IoT business.For many of the top vendors in electronics, IoT is at the top of their agendas for new initiatives, Luukkonen said.”The opportunity for IoT is tremendous, and everybody is going after it,” he said. “At the same time, vendors realize that they are introducing a huge number of open interfaces that could be open to attack.”

Not Only About the Bad Actors

However, the IoOPT isn’t only about bad actors. People, and not always bad guys, will be connecting (often by accident) with other people’s devices more often, and not just with phones and tablets. The sheer number of new URLs will fan this flame. Network flaws and crossed wires in networks also will contribute to this. Security will work well for some devices and networks and less well on other networks.IoT devices will mostly be embedded systems with lightweight operating systems, such as Linux. Each device will thus be a fully accessible server on the Internet with access to the rest of the Internet. There are already too many possible points of entry for security to be airtight, and with the IoT, these will be multiplied a hundredfold or more.

This is truly the Wild West. There are no IoT-related regulations involved at this early point—security or otherwise. Any entity can have as many IP addresses as they desire for use in any way they want. Scale-out IoT isn’t an issue; there appear to be no limits on the size and scope of networks, as long as there is bandwidth to run everything. With more entries into the Internet come more on-ramps for hackers.How will we stop a malicious third party who takes control of 1 million or 10 million inanimate devices? What will happen if that malicious third party decided to launch attacks using all those devices? This is happening now, and it will only be happening more often, but with more zombie devices.Security experts and industry organizations, such as CyberTech Networks, Cyber Hive and CyberTech Maryland, are doing well to get key decision-makers from the government, military, utilities, vendor community, education and the investment community together to discuss issues, such as information sharing, new products and trends.

CyberTech Network Event a Hit

A 90-minute discussion at RSA on April 22, hosted by San Diego-based CyberTech Network on this very topic, was attended by about 60 respected thought leaders, including White House Cyber-security Policy Chief Michael Daniel, former Symantec CEO Enrique Salem and Chertoff Group Principal Analyst Mark Weatherford.

As the IoT gets up and running, where is all the new data gathered from all the new devices going to live? The answer is the usual places: storage arrays, networks and servers on-premises and in the cloud that are hit all the time by hackers. But conventional protection of storage silos and servers has not succeeded. We need to get more granular with data security.New security schemes are now being built for this possibility, but it may take years for them to replace entrenched legacy enterprise security systems. Individuals can move faster on this. Until we start maintaining each of our own corners of the Internet with more care, our own devices will eventually become part of the IoOPT and in the control of bad actors. In fact, many of our devices are already part of that “bad actor” setup, and we don’t know it. Thus, the security and privacy of individual data files, using encryption and federated or two-step authentication whenever possible, is where this is all leading. Next-gen security will add a data-centric—not a system-centric—approach, and the industry is already moving toward it. eWEEK hosted its April eWEEKchat, titled “Can We Secure the Internet of Other People’s Things?” Here are some representative tweets from the eWEEKchat, which attracted a knowledgable community of commenters and lots of interaction back on April 8.